Want assertion to be signed: Specifies that authentication assertions from the trusted provider
must be signed.
Artifact consumer URL: Specifies where the partner receives incoming SAML artifacts. For
example, https://<dns>:8443/nidp/saml/spassertion_consumer. Replace <dns> with the DNS
name of the provider.
Post consumer URL: Specifies where the partner receives incoming SAML POST data. For
example, https://<dns>:8443/nidp/saml/spassertion_consumer. Replace <dns> with the DNS
name of the provider.
Service Provider: Specifies the public key certificate used to sign SAML data. You can
browse to locate the service provider certificate.
5 Click Finish.
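The settings above map onto the service provider's standard SAML 2.0 metadata: "Want assertion to be signed" is the WantAssertionsSigned attribute on SPSSODescriptor, and the artifact and POST consumer URLs are AssertionConsumerService endpoints with the HTTP-Artifact and HTTP-POST bindings. The following Python is an added example, not from the manual or the Access Manager product: it builds that metadata for a constructed DNS name and then checks it for the mistakes this page warns about (placeholder not replaced, unsigned assertions accepted, non-HTTPS endpoint).

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def build_sp_metadata(entity_id, dns, want_signed=True):
    """Build SP metadata for the consumer URL pattern used in the manual.
    dns is the value that replaces <dns>; the entity ID is a constructed value."""
    ET.register_namespace("md", MD)
    root = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(root, f"{{{MD}}}SPSSODescriptor",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol",
                       WantAssertionsSigned=str(want_signed).lower())
    consumer = f"https://{dns}:8443/nidp/saml/spassertion_consumer"
    # Both bindings point at the same consumer path, as on the configuration page.
    for index, binding in enumerate((ARTIFACT, POST)):
        ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService",
                      Binding=binding, Location=consumer, index=str(index))
    return ET.tostring(root, encoding="unicode")


def check_sp_metadata(xml_text):
    """Return a list of configuration problems found in SP metadata (empty if clean)."""
    problems = []
    root = ET.fromstring(xml_text)
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        return ["no SPSSODescriptor element"]
    if sp.get("WantAssertionsSigned", "false").lower() != "true":
        problems.append("WantAssertionsSigned is not true: unsigned assertions would be accepted")
    seen = set()
    for acs in sp.findall(f"{{{MD}}}AssertionConsumerService"):
        binding, loc = acs.get("Binding"), acs.get("Location", "")
        seen.add(binding)
        if not loc.startswith("https://"):
            problems.append(f"{binding}: consumer URL is not HTTPS")
        if "<dns>" in loc:  # the manual's placeholder, left in by mistake
            problems.append(f"{binding}: placeholder <dns> was not replaced")
    for binding in (ARTIFACT, POST):
        if binding not in seen:
            problems.append(f"missing consumer endpoint for {binding}")
    return problems


if __name__ == "__main__":
    print(check_sp_metadata(build_sp_metadata("https://sp.example.com/sp", "sp.example.com")))
    print(check_sp_metadata(build_sp_metadata("https://sp.example.com/sp", "<dns>", False)))
```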
5.4.5 Configuring an Authentication Request for an Identity Provider
The Liberty and SAML 2.0 protocols have slightly different options for configuring an
authentication request.
"Configuring a Liberty Authentication Request" on page 159
"Configuring a SAML 2.0 Authentication Request" on page 160
Configuring a Liberty Authentication Request
Use this page to configure how an authentication request is created. When users authenticate to a
service provider, they can be given the option to federate their account identities with the preferred
identity provider. This process creates an account association between the identity provider and
service provider that enables single sign-on and single log-out.
Devices > Identity Servers > Edit > Liberty > [Identity Provider] > Authentication Card > Authentication Request
Allow Federation: Determines whether federation is allowed. The federation options that control
when and how federation occurs can only be configured if the identity provider has been configured
to allow federation.
After authentication: Specifies that the federation request can be sent after the user has
authenticated (logged in) to the service provider. When you set only this option, users must log
in locally, then they can federate using the Federate option on the card in the Login page of the
Access Manager User Portal. Because the user is required to authenticate locally, you do not
need to set up user identification.
During authentication: Specifies whether federation can occur when the user selects the
authentication card of the identity provider. Typically, a user is not authenticated at the service
provider when this selection is made. When the identity provider sends a response to the
service provider, the user needs to be identified on the service provider to complete the
federation. If you enable this option, make sure you configure a user identification method. See
Section 8.1, "Selecting a User Identification Method for Liberty or SAML 2.0," on page 209.
Configuring SAML and Liberty Trusted Providers 159